written by Duane Tinker, CHC
President of Dental Compliance Specialists, LLC
Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of any agency of the U.S. government.
Cyber security threats are continually evolving and they pose a very real and significant threat to dental practices. Ransomware is a malicious software that takes over a victim’s hard drive when they click on an infected advertisement, email, attachment, or website and encrypts the contents of a device – and any other connected electronics – which the hacker then demands bitcoin or cryptocurrency payments to unlock. With an adequate data backup you may be able to recover from a ransomware situation, but you will still have a mess to deal with.
The HHS-Office for Civil Rights (OCR) is the federal agency tasked with the responsibility for enforcing HIPAA regulations, which include information security requirements for dental offices. Earlier this year OCR declared that Covered Entities who are victimized by Ransomware are to treat the security incident as a HIPAA breach (https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf). Such breaches almost always involved 500 or more persons. HIPAA breaches that effect 500 or more people require the Covered Entity to notify effected patients, OCR, the local television and newspaper media within 60 days of the discovery of the breach. Failure to make timely notification cost a Covered Entity $475,000 earlier this year.
OCR currently investigates every breach that effects 500 or more persons. On the table in those investigations are not just the details of the breach (how it happened, why it happened, what was done to mitigate the situation), but it includes in an ‘A’ to ‘Z’ audit of your HIPAA compliance program. This is not something anyone should volunteer for, even if the office’s compliance program is top notch. OCR has become very aggressive, ruthless in their enforcement efforts; this agency scares me.
OCR’s breach investigations take from 1.5 to 6 years to investigate and resolve. While no dentist has paid a large settlement to OCR I know it is coming – soon. Fines to resolve HIPAA violations have risen from $100,000 in 2008 to around $2 million in 2017. Prepare now, so you don’t find yourself heading straight to bankruptcy if a breach happens to you.
Here are several steps every dental practice should take to prepare for (and hopefully prevent) a HIPAA breach:
- Talk with your Risk Management Advisor to ensure you have adequate (type and amount) of cyber security coverage. It would not be unreasonable to have one or two million in coverage (really). You can obtain a million dollars coverage (per incident) for about $450 a year. The resources you need to help you through a major HIPAA breach or security incident are VERY expensive. I cannot stress enough the importance of having adequate coverage. A breach can bankrupt your practice.
- Ensure your office uses a reputable anti-virus/ anti-malware. There are hackers out there selling ‘anti-virus’ for free (or cheap). Their anti-virus is really a gateway for cyber infections, such as ransomware, keyloggers, spyware and other damaging software.
- Ensure your office uses a properly configured firewall. Be sure to keep your firmware up-to-date.
- Use a Virtual Private Network (VPN) for all data transmissions (Internet searches, claims submission, and ALL movement of data from one computer to another).
- Do not allow patients or other guests to use the same WIFI you and your staff use to conduct business. Offices should not use their business WIFI to stream music. Use your guest WIFI for this purpose.
- Train your staff on cyber security issues. There are both paid and free service available. Keep in mind free is not always the most appropriate option. These threats evolve very rapidly. Keep up. In the last two weeks there are three major viruses that have affected healthcare providers worldwide.
- Ensure your practice has adequate written policies and procedures relative to the HIPAA Privacy, Breach Notification and Security Rules. I’ve written and re-written said policies for a client who was being investigated by OCR. I FINALLY got it right. I’m an expert and I’m a pretty smart guy, but it took me multiple tries to pass muster with OCR. What are the odds you’ll get it right with no experience? I’m not a dentist, but I’m pretty sure you would not allow me to perform a root canal on you. As silly as that sounds how does doing your own compliance program make sense?
- Ensure you and your staff have adequate training records. In an investigation, OCR will want to see six years of training records. Don’t have them? Better change this going forward.
- Ensure your practice’s Notice of Privacy Practices is up-to-date. Odds are, unless you are a client, your NPP is not up-to-date. You get an updated NPP from OCR for free: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
- Ensure you have Business Associate Agreements signed by you and your HIPAA Business Associates (outside organizations that have access to your patients’ PHI). One practice recently received a $31,000 fine from OCR for not entering into a BAA prior to giving a vendor access to PHI (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/CCDH). Need a BAA? OCR has a template you can implement (https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html?language=en). As you can see you have some choices to make to create BAA. Many of these choices have significant implications. Be sure to have your BAA reviewed by a competent consultant and/or your legal counsel.
- The HIPAA Security Rule requires dental practices to complete a periodic Risk Analysis. As a rule of thumb – if there are no changes to your I.T. environment then the RA needs to be done at least annually. However, if there are changes to your I.T. environment you must redo a RA. Immediately following a RA you must manage any known vulnerabilities/ risks. This is called Risk Management (RM), which must be done in a timely manner (30 days). Here is more information on the RA/ RM process: https://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html The feds even put together a Risk Analysis process: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool There are three parts to these tools. Each part is 150 pages. You know, time is money. Sometimes it makes sense to get help, so you can quickly fulfill things you need to fulfill and get on with other things. This is one area it may well make sense to get help, but what do I know, I’m just who vendor who has something to sell you.
“Is this all I have to do to be compliance with HIPAA”, you ask? Not but it’s a good start, a very good start. The fact of the matter is you will never be ‘done’ getting compliant. Rules, regulations, and legal interpretations are continually evolving. Get connected with someone you know, like and trust (and who knows what they are talking about) to coach you, guide you through the ongoing process of staying in compliance with HIPAA and other government rules and regulations. Compliance may not seem important until you have a problem, then compliance consumes you. I encourage you to take my word for it because experience is a difficult teacher and OCR is a nasty headmaster that should not be reckoned with.
Duane ‘Tink’ Tinker is a consultant who has helped hundreds of dental practices establish and maintain their compliance programs. Tink is a highly sought Subject Matter Expert in the field of Dental Compliance. He is a trusted friend and advisor for countless dentists and dental service organizations. To connect go to www.DentalCompliance.com, call (817) 755-0035 or e-mail Toothcop@DentalCompliance.com.